- Load Servlet properties from the properties file
- Create a hash table (name, value pairs) with parameters for the Engine, including HTTP headers, Content type, client IP address, HTTP method (GET and SET) and the actual data in the request
- Identify if the data has been signed. If not signed, call the Filter Engine with the hash table
- If signed, decode the PKCS#7 message received from the Plug-In and insert it into the hash table; call the Filter Engine with the hash table
- Process the return value from the Filter Engine
- If the return value from the Filter Engine indicates that the web application has been called, then display the next page
- If the return value from the Filter Engine indicates that a page needs to be signed, the state of the Filter Engine is stored in a cookie and the page with the Plug-In is displayed
- If the return value from the Filter Engine indicates that the Client Certificate is ... next page
- For all other values or exceptions, display an error page to the client
Filter Engine Startup Steps

- Load Filter Engine properties from the properties file
- Open log files
- Load SSL or Utility Certificates
- Load RMI server Policy File
- Load Rules files into memory
- Validate Rules to verify correct formatting
- The Filter Engine Interface is now ready to receive requests



Filter Engine Processing Steps

- Receives HTTP Request data and the State from the Servlet
- If the State passed from the Servlet is FE_NEW_REQUEST, the Filter Engine compares the request against the signing rules and determines whether the request has to be signed or not. It builds the Return Object specified in the FE_NEW_REQUEST State.
- If the State passed in from the Servlet is FE_SIGNED_DATA, then it calls the Bank Interface to check the status of the Certificate. After interacting with the Identrus network, the Bank Interface returns the status. The status and the data in the CMS message are put into a Return Object and sent to the Servlet.
- If the State passed from the Servlet is FE_REQUEST_CHECKED, indicating the final stage of a signed transaction, the Web Application is called. The original page is retrieved from the Web Application and its content is returned to the Servlet in a Return Object.
- Log all signed requests to the event log and all errors to the error log
- All exceptions are returned to the Servlet as a part of the Return Object
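The state-driven processing above, as an added Python model that is not part of the patent's own code: it uses the three FE_* states named in the text, while the rule format (HTTP method plus URL regex), the Return Object layout, the cookie contents and the stubbed Bank Interface and Web Application callables are assumptions.

```python
import re
from urllib.parse import urlencode

FE_NEW_REQUEST, FE_SIGNED_DATA, FE_REQUEST_CHECKED = "FE_NEW_REQUEST", "FE_SIGNED_DATA", "FE_REQUEST_CHECKED"

def validate_rules(rules):
    """Startup step 'Validate Rules': a rule is assumed to be (HTTP method, URL regex)."""
    compiled = []
    for rule in rules:
        if not (isinstance(rule, tuple) and len(rule) == 2 and rule[0] in ("GET", "POST")):
            raise ValueError(f"malformed signing rule: {rule!r}")
        compiled.append((rule[0], re.compile(rule[1])))
    return compiled

def return_to_browser_url(request):
    """Fold the original POST/GET form data into a GET URL; returns (url, encoded form data)."""
    form = urlencode(sorted(request["data"].items()))
    return request["url"] + "?" + form, form

def filter_engine(rules, state, request, bank_interface, web_app):
    """Dispatch on the State passed in by the Servlet; the Return Object is a dict here.
    Assumed stubs: bank_interface(signed_data) -> (status, cms_data), web_app(request) -> page."""
    try:
        if state == FE_NEW_REQUEST:
            if any(m == request["method"] and p.search(request["url"]) for m, p in rules):
                url, form = return_to_browser_url(request)
                return {"result": "SIGN_REQUIRED", "return_url": url, "data_to_sign": form}
            return {"result": "WEB_APP_CALLED", "page": web_app(request)}
        if state == FE_SIGNED_DATA:
            status, cms_data = bank_interface(request["signed_data"])  # certificate status check
            return {"result": "CERT_STATUS", "status": status, "data": cms_data}
        if state == FE_REQUEST_CHECKED:  # final stage of a signed transaction
            return {"result": "WEB_APP_CALLED", "page": web_app(request)}
        raise ValueError(f"unknown state {state!r}")
    except Exception as exc:  # exceptions travel back to the Servlet inside the Return Object
        return {"result": "EXCEPTION", "error": str(exc)}

def servlet_dispatch(return_obj):
    """The Servlet's handling of the Return Object, as (action, payload)."""
    result = return_obj["result"]
    if result == "WEB_APP_CALLED":
        return ("DISPLAY_NEXT_PAGE", return_obj["page"])
    if result == "SIGN_REQUIRED":  # engine state kept in a cookie, Plug-In page shown
        return ("DISPLAY_PLUGIN_PAGE", {"cookie": {"fe_state": FE_SIGNED_DATA},
                "return_url": return_obj["return_url"], "data_to_sign": return_obj["data_to_sign"]})
    if result == "CERT_STATUS" and return_obj["status"] == "GOOD":
        return ("CALL_ENGINE_AGAIN", FE_REQUEST_CHECKED)
    return ("DISPLAY_ERROR_PAGE", return_obj.get("error") or return_obj.get("status"))
```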
Bank Interface Startup Steps

- Load Bank Interface properties from the properties file
- Load SSL or Utility Certificates
- Open log files
- Load RMI server policy File
- Load cryptographic modules, either software or hardware (Hardware Security Module API), as specified in the properties file
- At this stage the Bank Interface is ready to receive service requests

- Call the Bank Interface service manager with the DSMS request that contains the name of the service, mode of the service and the message
- Verify the Relying Customer and Root Certificate from ...
- Verify the signature on the CMS message
- ... Certificate ... the Issuing ...
- ... Service Locator extension, which is set by the ... defined in the certificate Authority Information Access (AIA) ...
- Log the OCSP request to the transaction log
- ... certificate signed by ...; requests contain a Service Locator extension
- Connect to the OCSP responder and send the OCSP request
- Get the OCSP response from the responder and verify the signature using the OCSP Responder Certificate
- Get the status of the certificate from the Response
- Log the OCSP response to the transaction log
- If the status of all the responses are good, then ...
- Log all signed requests to the event log and all errors to the error log
- All exceptions are returned to the ... as a part of the Return Object



Step | Description | Protocol
6 | User clicks 'Submit' button on HTML Form in Web Browser | HTML UI
7 | Web Browser posts form data to SDK Web Server | HTTP
8 | SDK Web Server passes all requests to Servlet | [protocol illegible]
9 | Servlet passes request to Filter Engine | RMI
10 | Filter Engine creates a Return-to-Browser URL (as a GET with parameters for data) representing the data of the original POST or GET form posting and returns it along with instructions to get the data signed to the Servlet | RMI
11 | Servlet builds a response with (1) an Applet tag pointing to the Client Interface Applet or (2) a call to a browser plug-in and the arguments Return-to-Browser URL and the data to sign | Servlet
12 | SDK Web Server returns the Servlet's response to the Web Browser | HTTP
13 | Web Browser displays the HTML Page (requests the Applet if necessary) | GUI
14 | Web browser displays Client Interface Applet or activates the plug-in. The arguments are the data to sign and possibly a URL | Client Interface
15 | Client Interface (applet or plug-in) calls Smart Card API to request that the Smart Card sign an SHA-1 hash of the form data | [protocol illegible]
16 | User enters PIN when driver asks for it | OS Dialog
17 | Smart Card API returns signed form data to Client Interface | Client Interface
18 | Client Interface makes an HTTP connection to the SDK Web Server and submits the signed form data | HTTP
19 | SDK Web Server passes request to Servlet | Servlet
20 | Servlet passes request to Filter Engine | RMI
21 | Filter Engine calls Bank Interface with signed data | RMI
22 | The Bank Interface calls the Open Card API to request that the HSM sign an SHA-1 hash of the request to the bank | Java Function Call
23 | Open Card API calls HSM OS Driver | Java Native Call
24 | HSM OS Driver calls HSM to perform signature | OS-Level Hardware Call
25 | HSM OS Driver returns signed request to Open Card API | Java Native Call
26 | Open Card API returns signed request to Bank Interface | Java Function Call
27 | Bank Interface calls the relying party's bank | Warranty/Status Check
28 | Relying party's bank calls the issuing party's bank | Warranty/OCSP
29 | Issuing party's bank returns a signed response to the relying party's bank | Warranty/OCSP
30 | Relying party's bank then calls the root | Warranty/OCSP
31 | Root returns a signed response to the relying party's bank | Warranty/OCSP
32 | Relying party's bank returns a signed response to the Bank Interface | Warranty/Status Check
33 | Bank Interface validates the signed data and then records the transaction in the log | File I/O
34 | Bank Interface validates the signed data and then stores the signed data and the signed response from the relying party's bank into the SDK's database | JDBC
35 | Bank Interface returns an OK or failure result to Filter Engine | RMI
36 | Filter Engine returns failure result to Servlet or passes on initial request to App Server | RMI
37 | Servlet builds response indicating failure for SDK Web Server | Servlet
38 | SDK Web Server returns servlet response to the browser if failure | HTTP
45 | Web Application's Web Server calls the Web Application | ISA
46 | Web Application generates and returns its response | ISA
47 | Web Application's Web Server returns the response to the Filter Engine | HTTP
48 | Filter Engine returns response to Servlet | RMI
49 | Servlet returns response to SDK Web Server | Servlet
50 | SDK Web Server returns response to Web Browser | HTTP



PAGE 28/31 * RCVD AT 11/14/2005 6:52:09 PM [Eastern Standard Time] * SVR:USPTO-EFXRF-6/30 * DNIS:2738300 * CSID:4155435472 * DURATION (mm-ss):08-56

Nov-14-05 03:59pm From-SONNENSCHEIN NATH ROSENTHAL 4155435472 T-285 P. 29/31 F-905

REPLACEMENT SHEET
Serial No.: 09/657,604
Filed: September 8, 2000
Inventors: Jackson Brandenburg et al
Sheet 15 of 19





REPLACEMENT SHEET
Serial No.: 09/657,604
Filed: September 8, 2000
Inventors: Jackson Brandenburg et al
Sheet 16 of 19



Description | Protocol
- User requests form that will require signing when submitted | HTML UI
- Web Browser sends request to Web Server | HTTP
- Web server forwards request to Web Application | ISA
- Web Application returns an HTML page for the web server to return which references the Client Interface | ISA
- Web Server returns the HTML Page to Web Browser | HTTP
- Web Browser requests Client Interface from Web Server | HTTP
- Web Server retrieves Client Interface | OS File System
- Web Server returns Client Interface | HTTP
- User clicks the submit and sign button in the web page | HTML UI
- Web Browser calls Client Interface | Client Interface Technology
- Client Interface calls Windows PC/SC to have Smart Card sign data | OS API
- User enters PIN | OS Dialog
- Windows PC/SC calls Smart Card to sign data | OS-Level Hardware Call
- Windows PC/SC returns signed data to Client Interface | OS API
- Client Interface returns signed data | Client Interface Technology
- Web Browser posts signed data | HTTP
- Web server passes signed posting to Web Application | ISA
- Integration Code added to the Web Application calls the Bank Interface to verify the signature on the form | Bank Interface Technology
- Bank Interface calls HSM OS Driver to sign request | OS-API
- HSM OS Driver calls HSM to sign request | OS-Level Hardware Call
- HSM OS Driver returns signed request to Bank Interface | OS-API
- Bank Interface calls the Relying Party's Bank | Warranty/Status
- Relying Party's Bank calls the Issuing Party's Bank | Warranty/OCSP
- Issuing Party's Bank returns a signed response to the Relying Party's Bank | Warranty/OCSP
- Relying Party's Bank calls the Root | Warranty/OCSP
- Root returns signed response to Relying Party's Bank | Warranty/OCSP
- Relying Party's Bank returns signed response to the Bank Interface | Warranty/Status
- Bank Interface stores the signed data and the signed OK response from the relying party's bank into the Signed Documents repository | Database-Access API
- Bank Interface writes transaction log message | File I/O
- Bank Interface returns result to Web Application | Bank Interface Technology
- Web Application interprets the form post and returns the next page to the Web Server or an error | ISA
- Web Server returns the page to the Web Browser | HTTP






